RIM Responds To ElcomSoft Encryption Exploits

About a week ago we wrote an article about the Russian company ElcomSoft and its ability to exploit BlackBerry encryption. This was big news, as there were no known ways to crack or hack a BlackBerry device in the manner described by ElcomSoft. We also stated that there was no reason to sound the alarms and declare BlackBerry an insecure device. We all know that BlackBerry remains one of the most secure devices on the planet. However, I know it's important, for various reasons, that users be made aware of tactics that an attacker can use to gain entry to their personal information.

On Saturday we received a response from RIM's BlackBerry Security Incident Response Team (BBSIRT) regarding the exploits found by ElcomSoft. The following is the response we got from RIM:

The article states that the tool uses a brute-force attack to guess the smartphone password by attempting to decrypt the contents of a media card that has been removed from the smartphone. For this tool to do what Elcomsoft claims, an IT administrator or the smartphone user must have chosen to encrypt the contents of the media card with the smartphone password only. Furthermore, an attacker must have access to the media card from the smartphone, and the tool would have to successfully guess the password. To then use the password to unlock the smartphone, that attacker would also have to have access to the smartphone.

For stronger protection, users can choose to encrypt the contents of an optional media card, choose the option to encrypt using a device key or the combination of a device key and the device password. See Enforcing encryption of internal and external file systems on BlackBerry devices for more information.

To increase the difficulty of guessing passwords, RIM recommends that users always use strong passwords. A strong password has the following characteristics: it includes punctuation marks, numbers, capital and lowercase letters, and does not include the user name, account name, or any word or phrase that would be easily guessed.

The security of mobile devices and major networked systems is tested by third party security researchers every day. RIM also continually tests the security of its own products, and volunteers its products to recognized industry experts for security testing and certification to help identify possible security vulnerabilities and protect BlackBerry customers against potential security threats.

Let's break down the response a little. The first paragraph we already discussed in the original article: the attacker would need physical access to your phone (or at least to the media card removed from it). So there is no remote exploit here, but how many times have you left or forgotten your phone somewhere? The next two paragraphs give us some pointers on how to protect our devices against an attack like this. Although RIM did not specifically address the second exploit, which takes advantage of BlackBerry Password Keeper and BlackBerry Wallet, using a strong password will most likely take care of that.

Okay, so let's bring it all home. If you choose to encrypt your optional media card, make sure you use a combination of a device key and the device password. Always use a strong password that includes a combination of punctuation marks, numbers, and capital and lowercase letters, and does not include your name, account name, or any word or phrase that would be easily guessed. Let's also remember that this is proprietary software developed by ElcomSoft, and at this point ElcomSoft is the only company that has it. However, anyone can purchase the software.
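To see why the device-key setting matters, here is an added toy model of the two media-card options RIM describes; it is constructed for this post and is not RIM's actual file-system encryption (the key derivation, keystream, wordlist and device key are all assumptions). Someone holding only the card can check password guesses offline when the card was encrypted with the password alone, but the same guesses tell them nothing when the device key, which never leaves the handset, is mixed into the key.

```python
import hashlib
import hmac
import os
from typing import Optional

# Toy model (constructed for illustration, not RIM's real scheme) of
# encrypting a removable media card either with the device password
# only, or with the device key combined with the device password.
ITERATIONS = 20_000


def derive_key(password: str, salt: bytes, device_key: Optional[bytes] = None) -> bytes:
    """Password-only mode when device_key is None; otherwise the
    handset-bound device key is mixed in before the password."""
    secret = (device_key or b"") + password.encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-based counter-mode keystream (toy stream cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_card(plaintext: bytes, password: str, device_key: Optional[bytes] = None) -> dict:
    """Everything returned here is what sits on the removed card."""
    salt = os.urandom(16)
    key = derive_key(password, salt, device_key)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, salt + ct, "sha256").digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def offline_recoverable(card: dict, wordlist: list) -> Optional[str]:
    """What a holder of only the card can learn: each guess is verified
    by recomputing the tag. No device key is available off the handset,
    so this only succeeds against password-only encryption."""
    for guess in wordlist:
        key = derive_key(guess, card["salt"])  # device key unknown here
        tag = hmac.new(key, card["salt"] + card["ct"], "sha256").digest()
        if hmac.compare_digest(tag, card["tag"]):
            return guess
    return None


DEVICE_KEY = os.urandom(32)  # constructed: exists only on the handset
WORDLIST = ["123456", "password", "blackberry1", "Summer2011"]  # constructed guesses
```

Run `offline_recoverable` against a card made with `encrypt_card(data, "Summer2011")` and it returns the password; against `encrypt_card(data, "Summer2011", DEVICE_KEY)` the same wordlist returns `None`.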